Batavia Spyware Campaign Unleashes Sophisticated Windows Malware in Cyber Espionage Operation
- Rex
- 2 days ago
- 2 min read

A newly uncovered cyber-espionage campaign called Batavia Spyware is actively targeting Russian industrial organizations with sophisticated Windows-based malware. First reported by the cybersecurity company Kaspersky, the campaign dates back to mid-2024 and has accelerated in the first months of 2025. It starts with phishing emails that appear to carry official contract-related documents. These emails lure recipients into running a malicious Visual Basic script (.vbe), which begins a multi-stage infection chain.
Once executed, the script profiles the system and downloads a disguised application named WebView.exe from a spoofed domain. This program displays a fake contract viewer while collecting sensitive data such as documents, screenshots, system logs, and details of installed software. The stolen data is then exfiltrated to a command and control server on another spoofed domain. Additional components, such as javav.exe, are then deployed to extend data collection, establish persistence, and allow continued monitoring of the infected system. These layered tactics highlight the advanced nature of the Batavia Spyware operation.
The researchers also suspect that a final payload is executed using a User Account Control (UAC) bypass, which lets the attackers elevate their privileges and operate undetected. So far, more than 100 users across various organizations in Russia have been targeted, and the nature of the operation points to espionage rather than financial gain. The level of coordination, technical sophistication, and choice of targets suggests the involvement of a highly capable and possibly state-backed threat actor behind the Batavia Spyware campaign.
Experts are urging companies, especially those in the industrial, logistics, and energy sectors, to strengthen their security. Recommendations include improving phishing detection, restricting script execution, monitoring activity, and deploying behavior-based endpoint monitoring. The Batavia Spyware campaign is a stark reminder of the evolving threat landscape and highlights the urgent need for advanced, proactive cybersecurity measures to defend against stealthy, multi-layered attacks like this one.
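As an added illustration of the behavior-based monitoring recommended above (example code written for this article, not Kaspersky's or the malware's), the following Python correlates constructed Windows process-creation events to flag the chain the article describes: a script host running a .vbe attachment whose descendant is an executable named like the campaign's binaries in a user-writable directory. The script hosts, paths, and sample events are assumptions; only the .vbe, WebView.exe and javav.exe names come from the article.

```python
# Added example, not from the original article: flag a Batavia-style chain
# (script host running a .vbe -> WebView.exe / javav.exe from a user path)
# in constructed process-creation telemetry.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # assumed script hosts
SUSPECT_BINARIES = {"webview.exe", "javav.exe"}         # names reported on the page
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|temp)\\", re.I)

# Constructed sample events: (host, pid, ppid, image path, command line).
EVENTS = [
    ("ws01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("ws01", 200, 100, r"C:\Program Files\Mail\mail.exe", "mail.exe"),
    ("ws01", 300, 200, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\ivan\AppData\Local\Temp\contract_2025.vbe"'),
    ("ws01", 400, 300, r"C:\Users\ivan\AppData\Local\Temp\WebView.exe", "WebView.exe"),
    ("ws02", 500, 1, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Scripts\inventory.vbs"'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_batavia_chains(events):
    """Return (host, script_host_pid, child_pid) for every suspect binary in a
    user-writable path whose ancestry includes a script host launched with a .vbe."""
    by_host_pid = {(h, pid): (ppid, img, cmd) for h, pid, ppid, img, cmd in events}
    hits = []
    for h, pid, ppid, img, cmd in events:
        if basename(img) not in SUSPECT_BINARIES or not USER_WRITABLE.search(img):
            continue
        # Walk up the parent chain on the same host; stop on cycles or missing parents.
        cur, seen = ppid, set()
        while (h, cur) in by_host_pid and cur not in seen:
            seen.add(cur)
            pppid, pimg, pcmd = by_host_pid[(h, cur)]
            if basename(pimg) in SCRIPT_HOSTS and ".vbe" in pcmd.lower():
                hits.append((h, cur, pid))
                break
            cur = pppid
    return hits


if __name__ == "__main__":
    for host, parent, child in find_batavia_chains(EVENTS):
        print(f"ALERT {host}: script host pid {parent} spawned suspect binary pid {child}")
```

The legitimate wscript.exe run on ws02 (a .vbs from an admin share, no suspect child) produces no alert, which is the false-positive case a practitioner should check before deploying such logic.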